Differential D53623

ipfilter: Restrict ipfilter within a jail
ClosedPublic
Actions

Authored by cy on Nov 6 2025, 7:24 PM.

Tags

None

Referenced Files

	F150116397: D53623.id.diff
	Sun, Mar 29, 12:41 PM

	Unknown Object (File)
	Wed, Mar 25, 11:10 AM

	Unknown Object (File)
	Tue, Mar 3, 8:31 AM

	Unknown Object (File)
	Tue, Mar 3, 8:31 AM

	Unknown Object (File)
	Tue, Mar 3, 8:31 AM

	Unknown Object (File)
	Sun, Mar 1, 9:04 PM

	Unknown Object (File)
	Sun, Mar 1, 6:56 AM

	Unknown Object (File)
	Jan 18 2026, 4:12 PM

View All 27 Files

Subscribers

vegeta_tuxpowered.net

Details

Reviewers

emaste
markj

Commits

rGe3b9f73e126e: ipfilter: Restrict ipfilter within a jail
rG616571ca7727: ipfilter: Restrict ipfilter within a jail
rG65bc0a1ade72: ipfilter: Restrict ipfilter within a jail
rGd9788eabffa4: ipfilter: Restrict ipfilter within a jail

Summary

Add a sysctl/tunable (net.inet.ipf.jail_allowed) to control whether a
jail can manage its own ipfilter rules, pools, and settings. A jail's
control over its own ipfilter rules and settings may not be desireable.
The default is jail access to ipfilter is denied.

The host system can stil manage a jail's rules by attaching the rules,
using the on keyword, limiting the rule to the jail's interface. Or
the sysctl/tunable can be enabled to allow a jail control over its own
ipfilter rules and settings.

Implementation note: Rather than store the jail_allowed variable,
referenced by sysctl(9), in a global area, storing the variable in the
ipfilter softc is consistent with ipfilter's use of its softc.

Discussed with: emaste, jrm
MFC after: 1 week

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 68464
Build 65347: arc lint + arc unit

Event Timeline

cy created this revision.Nov 6 2025, 7:24 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro, imp. · View Herald TranscriptNov 6 2025, 7:24 PM

cy requested review of this revision.Nov 6 2025, 7:24 PM

Harbormaster completed remote builds in B68464: Diff 165978.Nov 6 2025, 7:24 PM

This revision was not accepted when it landed; it landed in state Needs Review.Dec 8 2025, 4:15 PM

Closed by commit rGd9788eabffa4: ipfilter: Restrict ipfilter within a jail (authored by cy). · Explain Why

This revision was automatically updated to reflect the committed changes.

cy added a commit: rGd9788eabffa4: ipfilter: Restrict ipfilter within a jail.

cy added a commit: rG65bc0a1ade72: ipfilter: Restrict ipfilter within a jail.Jan 5 2026, 8:01 PM

cy added a commit: rG616571ca7727: ipfilter: Restrict ipfilter within a jail.

cy added a commit: rGe3b9f73e126e: ipfilter: Restrict ipfilter within a jail.Jan 5 2026, 8:05 PM

Revision Contents
Changeset List

Path

Size

sbin/

ipf/

libipf/

1 line

sys/

netpfil/

ipfilter/

netinet/

1 line

1 line

ip_fil_freebsd.c

15 lines

1 line

Diff 165978

sbin/ipf/libipf/interror.c

Loading...

sys/netpfil/ipfilter/netinet/fil.c

Loading...

sys/netpfil/ipfilter/netinet/ip_fil.h

Loading...

sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c

Loading...

sys/netpfil/ipfilter/netinet/mlfk_ipl.c

Loading...